Wednesday, August 6, 2008

And here I thought that the defeat of SB 1096 in the California Assemblywas a landmark victory for the right to keep ones prescription medical records private! While it did represent a critical victory over drug marketers, pharmaceutical companies and retailers, the bad news is that health and life insurance companies have recently developed a "powerful new tool" to access consumer prescription drug records.

By accessing peoples' health "credit reports" - drawn from databases containing prescription drug records on more than 200 million Americans - these companies say they can better determine whether to cover individual consumers.

Collecting and analyzing personal health information in commercial databases is a fledgling industry, but one poised to take off as the nation enters the age of electronic medical records. While lawmakers debate how best to oversee the shift to computerized records, some insurers have already begun testing systems that tap into not only prescription drug information, but also data about patients held by clinical and pathological laboratories.

...

But the practice also illustrates how electronic data gathered for one purpose can be used and marketed for another -- often without consumers' knowledge, privacy advocates say. And they argue that although consumers sign consent forms, they effectively have to authorize the data release if they want insurance.

"As health care moves into the digital age, there are more and more companies holding vast amounts of patients' health information," said Joy Pritts, research professor at Georgetown University's Health Policy Institute. "Most people don't even know these organizations exist. Unfortunately the federal health privacy rule does not cover many of them. . . . The lack of transparency with how all of this works is disturbing." Ingenix and Milliman create the profiles by plumbing rich databases of prescription drug histories kept by pharmacy benefit managers (PBMs), which help insurers process drug claims. Ingenix, for instance, has servers in the PBM data centers, updating the drug files as frequently as once a day......

Ingenix and Milliman officials stress that they provide data only with the patient's consent, as required by the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law that governs personal health records information. ButHIPAA does not give the Department of Health and Human Services the ability to directly investigate or hold accountable entities, such as pharmacy benefit managers or companies such as Ingenix and Milliman, who are not covered by HIPAA.

A health privacy proposal pending in Congress would expand federal officials' ability to regulate such "downstream" organizations, audit their activities and impose civil fines. The bill also includes a prohibition on the sale of electronic medical records.

Tim Sparapani, senior legislative counsel at the American Civil Liberties Union, said that the products that Ingenix and Milliman are marketing represent the "commodification" of electronic medical records by third parties. "We've got to stop these practices before the marketplace is fully developed and patients lose all control over their medical information," he said.

The fight over control of ones private prescription records appears to be just getting started, and the more health records become electronic, the more parties will compete to sell more comprehensive patient information to insurers, further driving down prices, and the cycle continues.

Let's hope Bob Gellman's privacy protection tool (an independent privacy consultant in Washington) that requires users to consent before specific data, such as prescription histories, can be released, becomes the industry standard. But as he states, "To work, the tool must be independent of all who hold the data."

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.

Privacy Bill List

We provide tracking and analysis of the most important privacy bills moving through the California state legislature.